
Akira Ransomware Bypasses MFA on SonicWall VPNs: SAMA Bank Defense Guide

Akira ransomware operators are now bypassing MFA on SonicWall SSL VPNs by exfiltrating OTP seed values from compromised firewalls. SAMA-regulated banks face urgent perimeter risk that demands immediate CSCC-aligned controls.

FyntraLink Team

Akira ransomware affiliates have escalated their long-running SonicWall campaign with a new capability that should keep every Saudi bank CISO awake at night: the ability to bypass multi-factor authentication on SSL VPN appliances. By harvesting one-time-password seed values from previously compromised firewalls, attackers are now logging in as legitimate users — even after passwords have been rotated and patches applied. For SAMA-regulated institutions, this development reshapes the perimeter risk model overnight.

How Akira Defeats MFA on SonicWall SSL VPNs

The technique exploits residual access from the original CVE-2024-40766 SSL VPN exposure. When that vulnerability was first weaponized in mid-2024, threat actors did not simply steal credentials — they extracted OTP binding configurations stored on the firewall, including the shared TOTP seeds that generate authenticator app codes. Even after victims patched the firmware and forced password resets, those seeds remained valid until each user manually re-enrolled their MFA token. Akira affiliates have spent months quietly cataloging these seeds, and recent intrusions confirm they are now being replayed at scale to walk past second-factor prompts as if they were the legitimate user.

Once inside, the playbook is brutally efficient. Arctic Wolf and Darktrace incident data show Akira encrypting full networks in under 60 minutes from initial VPN login, with heavy use of RClone for data exfiltration to Mega and Backblaze, deletion of volume shadow copies, and selective targeting of VMware ESXi hosts to maximize blast radius across virtualized core banking workloads.

Why the Saudi Financial Sector Is Squarely in Scope

SonicWall NSA and TZ-series firewalls are extremely common at branch offices, ATM aggregation sites, and DR data centers across the Saudi banking sector — often deployed by managed service providers years ago and rarely re-tendered. Many of these deployments share three dangerous characteristics: SSL VPN is enabled for branch staff and third-party vendors, MFA is bound to the firewall itself rather than to a separate identity provider, and patch cycles for edge appliances lag behind core systems. Each of those is a direct seam Akira's operators have proven they can exploit.

The financial impact is also asymmetric. Sophos reports the median ransom demand against financial services has reached USD 3 million — the highest of any vertical. For a mid-sized Saudi bank, even that figure is dwarfed by the regulatory and reputational fallout of a single confirmed CSCC control failure published in the SAMA cyber incident registry.

Impact on Saudi Banks Under SAMA CSCC, NCA ECC, and PDPL

This campaign hits multiple regulatory pressure points simultaneously. Under the SAMA Cyber Security Framework and the more granular Cyber Security Controls for Critical Systems (CSCC), control 3.3.5 mandates strong authentication for all remote access to internal networks — explicitly including third-party and vendor connectivity. An MFA bypass through a stolen OTP seed is a direct CSCC finding, not a theoretical gap. The NCA Essential Cybersecurity Controls (ECC-1:2018) reinforce this through subdomain 2-3 on identity and access management, and ECC-2-3-1-3 specifically on multi-factor authentication for sensitive access. A breach involving customer PII would also trigger PDPL Article 20 notification obligations to SDAIA within 72 hours, with potential fines reaching SAR 5 million per violation.

Boards and audit committees should expect questions on this exact scenario in the next CSCC self-assessment cycle. SAMA's recent supervisory letters have made clear that pre-disclosure exploitation and known-vulnerability reuse will be treated as governance failures, not technical accidents.

Recommended Actions for SAMA-Regulated Institutions

  1. Force a full MFA re-enrollment for every SonicWall SSL VPN user. Rotating passwords is not enough — the OTP seeds themselves must be invalidated and re-issued. Treat any firewall that was unpatched against CVE-2024-40766 at any point as compromised by default.
  2. Migrate VPN authentication off the firewall and onto an external identity provider such as Microsoft Entra ID or Okta, with conditional access policies tied to device posture, geolocation (Saudi-IP only where feasible), and risk signals. This breaks the seed-theft attack chain entirely.
  3. Disable SSL VPN where it is not strictly required and replace it with ZTNA for vendor and branch access. Where SSL VPN must remain, restrict it to a hardened jump network with no direct path to core banking, SWIFT, or card management environments.
  4. Hunt for indicators of prior compromise: unusual RClone, FileZilla, or WinSCP execution; anomalous outbound traffic to Mega, Backblaze, or new cloud storage; PowerShell invocation of w.exe; and ESXi authentication anomalies. Akira's dwell time before encryption is short, but its reconnaissance leaves traces.
  5. Update your third-party risk register. Any MSP that operates a SonicWall on your behalf is now an in-scope risk owner under SAMA TPRM expectations and should be required to provide written attestation of MFA re-enrollment and patch status.
  6. Test the recovery scenario. Run a tabletop exercise assuming full ESXi encryption within one hour of VPN login, and verify that immutable backups, SAMA incident notification workflows, and customer communication templates are all rehearsed.
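A hunt over constructed endpoint telemetry for the indicators listed in step 4, as an added example that is not code from the original advisory or from FyntraLink. The pipe-delimited event format, the hostnames and user names, and the Mega/Backblaze domain patterns are assumptions; the per-host rating treats a tool execution plus an outbound cloud-storage connection on the same host as the exfiltration pattern described above.

```python
import re

# Constructed sample events (not real telemetry), one per line:
# kind|host|user|detail. "proc" carries a command line, "net" a destination host.
SAMPLE_EVENTS = """\
proc|BR-ATM-07|svc_backup|C:\\Windows\\System32\\robocopy.exe D:\\data E:\\bak
proc|BR-ATM-07|vendor01|C:\\Users\\vendor01\\rclone.exe copy D:\\shares remote:dump
net|BR-ATM-07|vendor01|api.mega.co.nz
proc|CORE-DB-02|dba|powershell.exe -ExecutionPolicy Bypass -File C:\\temp\\w.exe
net|CORE-DB-02|dba|s3.eu-central-003.backblazeb2.com
proc|HR-WS-11|hr_user|winscp.exe /script=upload.txt
net|HR-WS-11|hr_user|fileshare.bank.local
"""

# Indicators from the advisory's hunt step (domain suffixes are assumed).
EXFIL_TOOLS = re.compile(r"(?:^|[\\/\s])(rclone|filezilla|winscp)(?:\.exe)?\b", re.I)
POWERSHELL_W = re.compile(r"powershell(?:\.exe)?\b.*\bw\.exe\b", re.I)
CLOUD_DEST = re.compile(r"(?:^|\.)(mega\.(?:co\.)?nz|backblaze(?:b2)?\.com)$", re.I)

def classify(kind, detail):
    """Return the indicator tag for one event, or None if nothing matches."""
    if kind == "proc":
        if POWERSHELL_W.search(detail):
            return "powershell-w.exe"
        m = EXFIL_TOOLS.search(detail)
        if m:
            return "exfil-tool:" + m.group(1).lower()
    elif kind == "net" and CLOUD_DEST.search(detail):
        return "cloud-storage-dest"
    return None

def hunt(log_text):
    """Group indicator hits per host and rate each host: 'high' when a
    tool/PowerShell hit and a cloud-storage destination co-occur, else 'medium'."""
    hits = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        kind, host, _user, detail = line.split("|", 3)
        tag = classify(kind, detail)
        if tag:
            hits.setdefault(host, set()).add(tag)
    report = {}
    for host, tags in hits.items():
        has_exec = any(t.startswith(("exfil-tool", "powershell")) for t in tags)
        has_net = "cloud-storage-dest" in tags
        report[host] = ("high" if has_exec and has_net else "medium", sorted(tags))
    return report

if __name__ == "__main__":
    for host, (severity, tags) in hunt(SAMPLE_EVENTS).items():
        print(f"{host}: {severity} {tags}")
```

Hosts rated high should be isolated and their VPN sessions reviewed first; a medium hit on a legitimate admin workstation still warrants checking who launched the tool and when.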

Conclusion

The Akira MFA bypass is not a new vulnerability — it is the predictable consequence of treating remote access perimeters as set-and-forget infrastructure. For Saudi banks, the regulatory message is unambiguous: SAMA CSCC compels you to assume the edge has already been touched, and to engineer compensating controls accordingly. The institutions that act this quarter will turn a high-profile global incident into an internal audit win. Those that wait will read about themselves in the next supervisory bulletin.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment and a focused review of your remote-access perimeter against CSCC, ECC, and PDPL requirements.